Genvejsmenu:
S - Indhold
1 - Forside
2 - Nyheder
3 - Oversigt
4 - Søg

Binding Corporate Rules (BCR)

The transfer of personal data to third countries requires a separate legal basis in Chapter 7 of the Act on Processing of Personal Data. This requirement also applies in cases that do not involve the transfer of sensitive personal data, cf. sections 7 and 8 of the Act on Processing of Personal Data.
 
In addition, section 27(5) of the Act on Processing of Personal Data states that the transfer of personal data to third countries must always take place in accordance with the provisions of the Act on Processing of Personal Data. This means that there must be a legal basis for the processing (including dislosure) of data in the processing rules in Chapter 4 of the act, and that the other rules of the act must also be observed. This requirement also applies when the corporate rules described below are applied.

According to section 27(4) of the Act on Processing of Personal Data, authorisation must be obtained from the Danish Data Protection Agency in order to transfer personal data to third countries that do not fulfil section 27(1) of the act, and the controller seeks to provide adequate guarantees for the protection of the rights of the data subject.

In addition to the European Commission’s standard contractual clauses, it is also possible to provide adequate guarantees pursuant to section 27(4) of the Act on Processing of Personal Data by utilising so-called binding corporate rules (BCR).

BCR are rules enacted for groups with companies in multiple countries. The rules must be binding for all units and companies in the group and may not be used as a legal basis for transfer of data to companies that are not a part of the group.

When the rules are approved by the data protection authorities in the EU countries from which the group wishes to transfer data, it is permitted, in principle, to transfer data between the group’s companies, given that they fulfil the requirements in the binding corporate rules and the other rules of the data protection legislation. Note, however, that the binding corporate rules solely provide a legal basis to transfer the data. Thus, a separate legal basis is required to disclose the data, cf. section 27(5).

The Article 29 Working Party has approved several statements (working papers – WP) on BCR, covering subjects including the requirements for structuring, content etc. You can find the group’s statements on this website under “Internationalt” – “Artikel 29-gruppen” – “Artikel 29-gruppens dokumenter”.
 
The requirements for the structure and content of binding corporate rules can be found in the Article 29 Working Party’s statements WP 74 and WP 108. The group has also produced a template that can be used when a group requests authorisation for the transfer of personal data to third countries on the basis of BCR, and a template to assist with the structure of a set of binding corporate rules; which can be found in the statements WP 133 and WP 154. Lastly, the group has prepared a checklist of elements and principles that must be included in a set of binding corporate rules, and an FAQ regarding BCR: WP 153 and WP 155.

BCR covers the transfer of data between multiple companies and countries. Therefore, the rules must typically be approved by multiple EU countries before transmission can take place. In connection with this, the Article 29 Working Party has approved a procedure to ensure that the binding corporate rules can be approved by the data protection authorities in all the EU countries from which the group wishes to transfer personal data. A description of the procedure can be found in WP 107.

The procedure begins with the binding corporate rules being submitted to the data protection authority in the EU country in which the group’s European headquarters is located. Then, the relevant authority coordinates approval from the other involved EU countries, after which authorisation can be issued for the transfers. This means that a Danish company wishing to utilise the binding corporate rules need only send the binding corporate rules to the Danish Data Protection Agency if the group’s European headquarters is located in Denmark.
 
A company that is part of a group headquartered in another EU country must only submit a request for authorisation pursuant to section 27(4) of the Act on Processing of Personal Data. The Danish Data Protection Agency will automatically receive the binding corporate rules from the data protection authority in the country where the group’s headquarters is located. When the binding corporate rules are approved, the company will have to submit an application to the Danish Data Protection Agency for authorisation to transfer personal data based on the binding corporate rules pursuant to section 27(4) of the Act on Processing of Personal Data. Then, the Danish Data Protection Agency will issue an authorisation to the company. You can find an example of an authorisation (Danish version) here.